Can I upload custom app onto the ABM? if yes then how can we install it into the user's devices?

Hello folks, I stumbled upon a weird CNContact serialization problem. I use the Contacts framework to update the AIM field, which is one of the instantMessageAddresses within a single Contact. Here is the simplified code I used: func updateAIMFieldOn(contact: CNContact, aimValue: String) { do { guard let mutableContact = contact.mutableCopy() as? CNMutableContact else { logger.error("[CM] Couldn't update contact with aim \(aimValue)") return } var updatedAddresses = mutableContact.instantMessageAddresses updatedAddresses.append(CNLabeledValue(label: "", value: CNInstantMessageAddress(username: aimValue, service: CNInstantMessageServiceAIM))) mutableContact.instantMessageAddresses = updatedAddresses let saveRequest = CNSaveRequest() saveRequest.update(mutableContact) try CNContactStore().execute(saveRequest) logger.verbose("Contact's AIM updated successfully!") } catch { logger.error("Couldn't update contact") } } And after serializing the contact to data, and then deserializing, the contact got two AIM fields with the same value: X-AIM;type=pref:some:part:of_my_aim_value IMPP;X-SERVICE-TYPE=AIM;type=pref:some:part:of_my_aim_value Why does it work in this manner? Is it possible that ":" char causes that? Format of my aim username is {some:part:of_my_aim_value}. I didn't find any information in the docs. Thanks!

Hi, I developed a Platform Single Sign-On extension and a corresponding extension for my IdP, which is Keycloak based. The code for both projects are here: https://github.com/unioslo/keycloak-psso-extension and https://github.com/unioslo/weblogin-mac-sso-extension I realized that, when using the Secure Enclave as the AuthenticationMethod, and according to Apple's documentation, the Extension doesn’t obtain fresh ID Tokens when they expire if the refresh token is still valid. When using password as the Authentication Method, it fetches new ID tokens when they expire, without prompting the user for credentials, by using the refresh token. My suggestion is that the same behavior should be implemented for Secure Enclave keys. The thing here is that usually, on OIDC flows, the ID/Access tokens are short-lived. It would make sense for the extension to provide fresh ID tokens. It doesn’t seem to make sense for me that, when using passwords, the extension would fetch these tokens, and not when having the Secure Enclave key. By not doing this, Apple almost forces the developer of an extension to fetch new ID tokens themselves, which doens’t make sense when it clearly provides fresh tokens when using passwords. It almost forces the developers to either implement that logic themselves, or to issue longer tokens, which is not so nice. How so you deal with this? Do you simply use the refresh token as an authentication token, or do you do some sort of manual refresh on the extension?

It's a great platform to grow your knowledge. Apple Teacher

Hey all, how long does bank account validation take typically? I have everything else in my paid agreement approved and showing active except the bank account. It says 24 hours but it has been over 3 days and there has been no progress.

Last year I used the iOS Distribution Managed Certificate (Enterprise Program) to sign an App and to distribute it internally. The Cert is still valid until May 2026. But its associated Provisiong Profile (which is not visible in the Apple Portal, but within Xcode when you export your archive) expired last week. Until then it was impossible for me to somehow force renew the profile and that lead to the fact that my app was not usable for a day, because the renewal was done after the expiration of the old one. Whats the whole point of the managed signing if can't influence the provisioning update. To be clear: I don't speak about the certificate - just about the profile. Or am I using it wrong?

I registered in this summer, uploaded 2 apps. But recently I decided to add iAP to my apps, everything is ready, in Xcode sandbox everything works fine, but when I uploaded new version to TestFlight to test, when I tap on the subscription it says something like "Product not found". (I have added subscriptions to the app, and added them to the version before submitting, also, this version is in status "awaiting developer release" so I can tap a button and this new version with iAPs will be on App Store. But im unsure what to do, because exactly this verified by Apple's version is not working in TestFlight.) In Business section of my Apple Developer Account in Agreements I only have agreement of free apps, but not about the paid apps. 
When I registered I used my (R)(us)sian passport, I think this is the reason that I simply don't even have the agreement of paid apps to accept it. 
I have multiple passports, and multiple EU debit cards. I emailed apple to change the location of my account (to another EU country), but they ghosted me. They sent me emails to upload documents about 4 or 5 times, every time I uploaded my another passport, got an auto email "thank you, we will write you in 2-3 days", but either they did not write me, or they said that the document is not in English (it isn't). 
What do I do? Also, to my situation, someone of my family has a company in (R)(us)sia, and I have in EU (Estonia). Maybe if nothing will work out with "Individual account", I should change to my company? And what is better EU or (R)(us)sian? 
Im new to this community, hope to hear an answer, or just an advice. Thank you!

We intend to sell in india markets. In india our tax compliance is GSTIN which is also highlighted in your "Provide tax information for alternative payment options" section. We will not be making any sale outside India and hence are not liable for any tax compliance or withholding of tax outside india. Please guide us on how we should fill the tax forms.

We are upgrading macOS (minor versions and potentially major versions) using a scripted approach: Install the InstallAssistant package via installer Trigger OS install via startosinstall On MDM-managed assets, OS update policies appear to prohibit or interfere with the update flow. The update often fails with startosinstall reporting “Helper tool crashed…” during the “Preparing” phase. Steps to Reproduce On an MDM-enrolled Mac with OS update restriction/deferral policies applied, run: sudo /usr/sbin/installer -pkg /Path/To/InstallAssistant.pkg -target / && echo 'MACOS_PASSWORD' | /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --stdinpass --user MACOS_USER Actual Result Package installation reports success, but startosinstall fails during preparation with: Standard Output installer: Package name is macOS15.7_SoftwareUpdate installer: Upgrading at base path / installer: The upgrade was successful. By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately. Preparing to run macOS Installer... Preparing: 0.0% Preparing: 0.1% ... Preparing: 24.9% Standard Error Helper tool crashed... notes.log Install.log is also attached. Questions for Apple / Ask: We suspect this crash is caused by MDM OS update restrictions/policies. We need Apple’s recommended method to perform macOS updates (minor + major) when MDM is present, especially in environments where update deferrals/restrictions may be configured.

I applied over a month ago and haven't heard back to the Apple Small Business Program. What should I do to speed things up?

Hello We have devices setup with in ABM and managed with Intune. Having only ever setup shared iPad's, we have a new request with managing iPhone's. The customer wants the iPhone's managed, but users enabled to purchase apps for the app store using their own credit card (or Apple ID) These are not BYOD devices and federated sign is not an option at this time. Can this be done with example User affinity profiles? Many thanks

I have come across this Hideable attribute for managed apps, introduced in iOS 18.1, and I've encountered some behavior that seems to contradict the official documentation. According to Apple's documentation for app.managed.yaml, setting the Hideable key to false under the Attributes section should prevent a user from hiding the app. The documentation explicitly states: If false, the system prevents the user from hiding the app. It doesn't affect the user's ability to leave it in the App Library, while removing it from the Home Screen. I have configured this in my app.managed.yaml and successfully applied the profile to my test device via our MDM server. However, I am still able to hide the application from both the Home Screen and the App Library. Here are the steps I'm taking to hide the app: Long-press the app icon on Home Screen Select "Require Touch ID" Select "Hide and Require Touch ID" Authenticate using Touch ID Select "Hide App" After these steps, the app is no longer visible on the Home Screen or in the App Library, which is contrary to the behavior described in the documentation for when Hideable is set to false. My question is: Is this a known issue or a potential bug in iOS 18.1? Or, is there an additional configuration profile or a specific device supervision requirement that I might be missing to enforce this restriction correctly? Any clarification would be greatly appreciated! Thank you!

We are expering frequent delays recently when associating a device serial with the adamid of an app in our business manager account. I get an event id back when calling the /associate api but when i check the status of that event id is can be sat in a pending state for sometimes several hours. Need to understand why and if its a configuration issue

Hi Apple team and community, We’re currently integrating with the Apps and Books for Organizations API as part of our device management solution and would like to highlight a few critical points we've encountered — including a reliability issue, an enhancement suggestion, and a request for clarification on API rate limits. 1. Issue: Intermittent 403 Errors with stoken-authenticated-apps Endpoint We are encountering intermittent 403 Forbidden responses from the stoken-authenticated-apps endpoint. Approximately 30–35% of the requests fail with a 403 status code. These failures are inconsistent — the same request (using the same Content Token and Storefront) may succeed upon retry. All requests are properly authenticated and include the required Cookie and other headers as specified in the API documentation. This issue is impacting our ability to reliably fetch app metadata at scale, particularly in workflows. We’d like to know: Is this a known issue? Could it be due to a rate limit or token misconfiguration? Are any changes required on our end to avoid these failures? 2. Enhancement Request: Include externalVersionId in versionHistory Response The versionHistory extension currently returns: versionString releaseNotes releaseDate However, for Declarative Device Management (DDM) workflows such as App Pinning, we need the externalVersionId as well. Without it, we can't reliably correlate version metadata with the specific version ID required for pinning. Adding externalVersionId would: Enable precise version targeting during App Pinning Improve reliability and automation in managed deployments We request that Apple consider including externalVersionId in the versionHistory response to better support DDM-based app lifecycle management. 3. Rate Limit Clarification We found the following note in the Apps and Books for Organizations API documentation: "The Apps and Books for Organizations API limits the number of requests your app can make using a developer token within a specific period of time. If you exceed this limit, you’ll temporarily receive 429 Too Many Requests error responses for requests that use the token. This error resolves itself shortly after the request rate has reduced." While this confirms that a rate limit is enforced, there is no detailed information about the thresholds — such as the number of allowed requests per minute, hour, or day per developer token. To help us implement proper throttling and retry strategies, we request clarification on the following: What is the exact rate limit threshold per developer token? Are there per-endpoint limits, or is it a global cap for all requests using the token? Does the API return a Retry-After header when the limit is exceeded? What is the recommended backoff strategy for clients to follow when receiving 429 errors? This information would help us implement efficient throttling and error handling logic. Any insights from the Apple team or other developers who’ve encountered these issues would be greatly appreciated!

short version question: why some users after deleting and downloading back my in-house app, cannot start the new process for approving developer, but instead it tries to start and then crashes immediately? long question version I am maintaining an in-house distributed enterprise app. due to update in iOS 18 update here users need to trust the developer via a new procedure that involves restarting device and inserting the phone code. after thousands (more or less 30.000) of users with no issue at all, some of them has this problem, the old (expired)trust seems to be persistent and never updated. Standard events a user deletes the app via settings > general > VPN & device management or via classic persistent touch procedure checks no other presence of the app is on the device via spotlight. since it is the only app with "MyDeveloperName" on the phone, if users goe back to VPN & device management screen, no app or developer will be present. user downloads new version of the app. If taps directly on the icon there is a system alert with says the developer must be trusted. a this point in settings > general > VPN & device management you can find a line with developer name, tapping on it we find a screen where user finds a white button with BLUE message "authorize MyDeveloperName" and follows procedure. My issue is that some users get following different behavior, and I do not understand why: ❌ tapping on downloaded app icon: no alert, but app tries to start then crashes. ❌ going in VPN & device management screen there is only RED write button "delete app" in both paths, working and not working, the app results "verified" in VPN & device management screen (Apple says old authorizations are preserved.)

Hello, I'm currently working on implementing app installation features, referencing the app.managed.yaml declaration on GitHub: https://github.com/apple/device-management/blob/0a4527c5ea21825fd23e08273ccdb9e2302458ce/declarative/declarations/configurations/app.managed.yaml My question pertains to the InstallBehavior.Version key. The current specification indicates its type as <integer>: key: Version title: Version supportedOS: iOS: introduced: '26.0' macOS: introduced: '26.0' visionOS: introduced: '26.0' type: <integer> Is there a way to specify the app version using a string format, such as x.y.z, instead of the integer (App Store External Version Identifier - EVID)? Allowing for a simpler version specification would make app version management through MDM more flexible and efficient. I believe this would significantly streamline the deployment and operation of Apple devices within organizations. Any guidance or consideration for this would be greatly appreciated. Thank you.

I'm using Apple's MDM protocol InstalledApplicationListCommand to get information about installed apps. From iOS/iPadOS 26, the app information obtained by InstalledApplicationListCommand includes information on all apps including system apps (apps that come standard with iOS/iPadOS). https://developer.apple.com/documentation/devicemanagement/installed-application-list-command I want iOS/iPadOS26 to get the same information as the app information I get from the previous iOS/iPadOS, and I want to exclude system apps from the app information I get with the InstalledApplicationListCommand. As a way to exclude system apps, you can use the app ID I'm thinking of a way to exclude anything that starts with "com.apple" (the Identifier key value of the InstalledApplicationListResponse.InstalledApplicationListItem object). As a way to exclude system apps, please tell us whether the above method is appropriate and whether there will be any problems in the future.

I want to install Chrome extension via configuration profile without user needing to go to System Settings and install profile manually. Can i install configuraation profile by making user only interact with my app?

Hello All, I am currently attempting to get application config working with enterprise apps but it seems as though the asset config is not applying at all. While the asset and application install correctly it does not seem that the config is read at all judging from the status message returned. "StatusItems" : { "app" : { "managed" : { "list" : [ { "name" : "apps", "config-state" : { "app-config-state" : { "state" : "unknown" } }, "identifier" : "app.identifier", "version" : "3.2", "short-version" : "3.2.0", "state" : "managed", "declaration-identifier" : "dec-identifier" } ] } } }, "Errors" : [ ] } The asset file being sent down is as follows: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Config 1</key> <string>Value 1</string> <key>Config 2</key> <string>Value 2</string> <key>Config 3</key> <string>Value 3</string> </dict> </plist> This is the config report being sent back by the device after everything has been fetched: "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "group.activation.payload", "valid" : "valid", "server-token" : "56792E4AE25C3286640B45E6BD265AE97545B2B87F90A6355919FD8B2E3C3AB3" } ], "configurations" : [ { "active" : true, "identifier" : "app.install", "valid" : "valid", "server-token" : "34D7ACECAE16EE9EEAC0630FF2FF85524FFBB5BA3CB18CFB6296FBC860368C85" }, { "active" : true, "identifier" : "ios.policy.subscription.list", "valid" : "valid", "server-token" : "376913E11BE7D26EC745B3B68C6FA94C4FC061B1B736D143EBE0F12FF73ADFF8" } ], "assets" : [ { "active" : true, "identifier" : "app.config.reference", "valid" : "valid", "server-token" : "1CFBE30EB56309005F742D667B80242E6A3CDC08ED228D0BC5F87749C6BBAB77" } ], "management" : [ ] } }, "app" : { "managed" : { "list" : [ { "state" : "downloading", "declaration-identifier" : "app.install", "identifier" : "app.identifier", "name" : "apps", "config-state" : { "app-config-state" : { "state" : "unknown" } } } ] } } }, "Errors" : [ ] } Additional info would be useful, though a sysdiagnosis will be submitted to feedback as well. Config did apply correctly when sending down through Install application command

Hello, I am running into a bit of an issue with the Screen Timeout/Screen Lock setting and would like some clarification on. First for a bit of context, I am enrolling personal iOS devices 18.0+ into the company MDM (Intune) with Account Driven User Enrollment. We are trying to set a screen timeout of 5 minutes and immediately after it asks for the passcode on the device, though this setting is not being applied and the device timeout setting can be set as "Never" on the user's end. This is a big security risk for the company I work for and and the issue with being HIPAA compliant. According to the Microsoft Intune Support, "In iOS 18, when using Account-Driven User Enrollment for BYOD (Bring Your Own Device) scenarios, the screen lock timeout setting is indeed marked as “Not Applicable”. This is because Apple’s privacy-preserving model for personal devices restricts administrative control over system-level settings like screen lock or idle timeout." I am needing clarification on the item mentioned from Microsoft Intune Support and if this setting is no longer able to be applied from the MDM with devices enrolled with Account Driven User Enrollment?